--- /dev/null
+/*
+ * Copyright (c) 1999-2001,2005-2008,2010-2012 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * sslHandshakeHello.c - Support for client hello and server hello messages.
+ */
+
+#include "sslContext.h"
+#include "sslHandshake.h"
+#include "sslMemory.h"
+#include "sslSession.h"
+#include "sslUtils.h"
+#include "sslDebug.h"
+#include "sslCrypto.h"
+
+#include "sslDigests.h"
+#include "cipherSpecs.h"
+
+#include <string.h>
+
+/* IE treats null session id as valid; two consecutive sessions with NULL ID
+ * are considered a match. Workaround: when resumable sessions are disabled,
+ * send a random session ID. */
+#define SSL_IE_NULL_RESUME_BUG 1
+#if SSL_IE_NULL_RESUME_BUG
+#define SSL_NULL_ID_LEN 32 /* length of bogus session ID */
+#endif
+
+OSStatus
+SSLEncodeServerHello(SSLRecord *serverHello, SSLContext *ctx)
+{ OSStatus err;
+ UInt8 *charPtr;
+ int sessionIDLen;
+ size_t msglen;
+ int head;
+
+ sessionIDLen = 0;
+ if (ctx->sessionID.data != 0)
+ sessionIDLen = (UInt8)ctx->sessionID.length;
+ #if SSL_IE_NULL_RESUME_BUG
+ if(sessionIDLen == 0) {
+ sessionIDLen = SSL_NULL_ID_LEN;
+ }
+ #endif /* SSL_IE_NULL_RESUME_BUG */
+
+ msglen = 38 + sessionIDLen;
+
+ /* this was set to a known quantity in SSLProcessClientHello */
+ assert(ctx->negProtocolVersion != SSL_Version_Undetermined);
+ /* should not be here in this case */
+ assert(ctx->negProtocolVersion != SSL_Version_2_0);
+ sslLogNegotiateDebug("===SSL3 server: sending version %d_%d",
+ ctx->negProtocolVersion >> 8, ctx->negProtocolVersion & 0xff);
+ sslLogNegotiateDebug("...sessionIDLen = %d", sessionIDLen);
+ serverHello->protocolVersion = ctx->negProtocolVersion;
+ serverHello->contentType = SSL_RecordTypeHandshake;
+ head = SSLHandshakeHeaderSize(serverHello);
+ if ((err = SSLAllocBuffer(&serverHello->contents, msglen + head, ctx)) != 0)
+ return err;
+
+ charPtr = SSLEncodeHandshakeHeader(ctx, serverHello, SSL_HdskServerHello, msglen);
+
+ charPtr = SSLEncodeInt(charPtr, serverHello->protocolVersion, 2);
+
+ #if SSL_PAC_SERVER_ENABLE
+ /* serverRandom might have already been set, in SSLAdvanceHandshake() */
+ if(!ctx->serverRandomValid) {
+ if ((err = SSLEncodeRandom(ctx->serverRandom, ctx)) != 0) {
+ return err;
+ }
+ }
+ #else
+ /* This is the normal production code path */
+ if ((err = SSLEncodeRandom(ctx->serverRandom, ctx)) != 0)
+ return err;
+ #endif /* SSL_PAC_SERVER_ENABLE */
+
+ memcpy(charPtr, ctx->serverRandom, SSL_CLIENT_SRVR_RAND_SIZE);
+
+ charPtr += SSL_CLIENT_SRVR_RAND_SIZE;
+ *(charPtr++) = (UInt8)sessionIDLen;
+ #if SSL_IE_NULL_RESUME_BUG
+ if(ctx->sessionID.data != NULL) {
+ /* normal path for enabled resumable session */
+ memcpy(charPtr, ctx->sessionID.data, sessionIDLen);
+ }
+ else {
+ /* IE workaround */
+ SSLBuffer rb;
+ rb.data = charPtr;
+ rb.length = SSL_NULL_ID_LEN;
+ sslRand(ctx, &rb);
+ }
+ #else
+ if (sessionIDLen > 0)
+ memcpy(charPtr, ctx->sessionID.data, sessionIDLen);
+ #endif /* SSL_IE_NULL_RESUME_BUG */
+ charPtr += sessionIDLen;
+ charPtr = SSLEncodeInt(charPtr, ctx->selectedCipher, 2);
+ *(charPtr++) = 0; /* Null compression */
+
+ sslLogNegotiateDebug("ssl3: server specifying cipherSuite 0x%lx",
+ (UInt32)ctx->selectedCipher);
+
+ assert(charPtr == serverHello->contents.data + serverHello->contents.length);
+
+ return noErr;
+}
+
+OSStatus
+SSLEncodeServerHelloVerifyRequest(SSLRecord *helloVerifyRequest, SSLContext *ctx)
+{ OSStatus err;
+ UInt8 *charPtr;
+ size_t msglen;
+ int head;
+
+ assert(ctx->protocolSide == kSSLServerSide);
+ assert(ctx->negProtocolVersion == DTLS_Version_1_0);
+ assert(ctx->dtlsCookie.length);
+
+ msglen = 3 + ctx->dtlsCookie.length;
+
+ helloVerifyRequest->protocolVersion = DTLS_Version_1_0;
+ helloVerifyRequest->contentType = SSL_RecordTypeHandshake;
+ head = SSLHandshakeHeaderSize(helloVerifyRequest);
+ if ((err = SSLAllocBuffer(&helloVerifyRequest->contents, msglen + head, ctx)) != 0)
+ return err;
+
+ charPtr = SSLEncodeHandshakeHeader(ctx, helloVerifyRequest, SSL_HdskHelloVerifyRequest, msglen);
+
+ charPtr = SSLEncodeInt(charPtr, helloVerifyRequest->protocolVersion, 2);
+
+ *charPtr++ = ctx->dtlsCookie.length;
+ memcpy(charPtr, ctx->dtlsCookie.data, ctx->dtlsCookie.length);
+ charPtr += ctx->dtlsCookie.length;
+
+ assert(charPtr == (helloVerifyRequest->contents.data + helloVerifyRequest->contents.length));
+
+ return noErr;
+}
+
+
+OSStatus
+SSLProcessServerHelloVerifyRequest(SSLBuffer message, SSLContext *ctx)
+{ OSStatus err;
+ SSLProtocolVersion protocolVersion;
+ unsigned int cookieLen;
+ UInt8 *p;
+
+ assert(ctx->protocolSide == kSSLClientSide);
+
+ /* TODO: those length values should not be hardcoded */
+ /* 3 bytes at least with empty cookie */
+ if (message.length < 3 ) {
+ sslErrorLog("SSLProcessServerHelloVerifyRequest: msg len error\n");
+ return errSSLProtocol;
+ }
+ p = message.data;
+
+ protocolVersion = (SSLProtocolVersion)SSLDecodeInt(p, 2);
+ p += 2;
+
+ /* TODO: Not clear what else to do with protocol version here */
+ if(protocolVersion != DTLS_Version_1_0) {
+ sslErrorLog("SSLProcessServerHelloVerifyRequest: protocol version error\n");
+ return errSSLProtocol;
+ }
+
+ cookieLen = *p++;
+ sslLogNegotiateDebug("cookieLen = %d, msglen=%d\n", cookieLen, message.length);
+ /* TODO: hardcoded '15' again */
+ if (message.length < (3 + cookieLen)) {
+ sslErrorLog("SSLProcessServerHelloVerifyRequest: msg len error 2\n");
+ return errSSLProtocol;
+ }
+
+ err = SSLAllocBuffer(&ctx->dtlsCookie, cookieLen, ctx);
+ if (err == 0)
+ memcpy(ctx->dtlsCookie.data, p, cookieLen);
+
+ return err;
+}
+
+static void
+SSLProcessServerHelloExtension_SecureRenegotiation(SSLContext *ctx, UInt16 extLen, UInt8 *p)
+{
+ if(extLen!= (1 + ctx->ownVerifyData.length + ctx->peerVerifyData.length))
+ return;
+
+ if(*p!=ctx->ownVerifyData.length + ctx->ownVerifyData.length)
+ return;
+ p++;
+
+ if(memcmp(p, ctx->ownVerifyData.data, ctx->ownVerifyData.length))
+ return;
+ p+=ctx->ownVerifyData.length;
+
+ if(memcmp(p, ctx->peerVerifyData.data, ctx->peerVerifyData.length))
+ return;
+
+ ctx->secure_renegotiation_received = true;
+}
+
+
+static OSStatus
+SSLProcessServerHelloExtensions(SSLContext *ctx, UInt16 extensionsLen, UInt8 *p)
+{
+ Boolean got_secure_renegotiation = false;
+ UInt16 remaining;
+
+ if(extensionsLen<2) {
+ sslErrorLog("SSLProcessHelloExtensions: need a least 2 bytes\n");
+ return errSSLProtocol;
+ }
+
+ remaining = SSLDecodeInt(p, 2); p+=2;
+ extensionsLen -=2;
+
+ /* remaining = number of bytes remaining to process according to buffer data */
+ /* extensionsLen = number of bytes in the buffer */
+
+ if(remaining>extensionsLen) {
+ sslErrorLog("SSLProcessHelloExtensions: ext len error 1\n");
+ return errSSLProtocol;
+ }
+
+ if(remaining<extensionsLen) {
+ sslErrorLog("Warning: SSLProcessServerHelloExtensions: Too many bytes\n");
+ }
+
+ while(remaining) {
+ UInt16 extType;
+ UInt16 extLen;
+
+ if (remaining<4) {
+ sslErrorLog("SSLProcessHelloExtensions: ext len error\n");
+ return errSSLProtocol;
+ }
+
+ extType = SSLDecodeInt(p, 2); p+=2;
+ extLen = SSLDecodeInt(p, 2); p+=2;
+
+ if (remaining<(4+extLen)) {
+ sslErrorLog("SSLProcessHelloExtension: ext len error 2\n");
+ return errSSLProtocol;
+ }
+ remaining -= (4+extLen);
+
+ switch (extType) {
+ case SSL_HE_SecureRenegotation:
+ if(got_secure_renegotiation)
+ return errSSLProtocol; /* Fail if we already processed one */
+ got_secure_renegotiation = true;
+ SSLProcessServerHelloExtension_SecureRenegotiation(ctx, extLen, p);
+ break;
+ default:
+ /*
+ Do nothing for other extensions. Per RFC 5246, we should (MUST) error
+ if we received extensions we didnt specify in the Client Hello.
+ Client should also abort handshake if multiple extensions of the same
+ type are found
+ */
+ break;
+ }
+ p+=extLen;
+ }
+
+ return noErr;
+}
+
+OSStatus
+SSLProcessServerHello(SSLBuffer message, SSLContext *ctx)
+{ OSStatus err;
+ SSLProtocolVersion protocolVersion, negVersion;
+ size_t sessionIDLen;
+ size_t extensionsLen;
+ UInt8 *p;
+
+ assert(ctx->protocolSide == kSSLClientSide);
+
+ if (message.length < 38) {
+ sslErrorLog("SSLProcessServerHello: msg len error\n");
+ return errSSLProtocol;
+ }
+ p = message.data;
+
+ protocolVersion = (SSLProtocolVersion)SSLDecodeInt(p, 2);
+ p += 2;
+ /* FIXME this should probably send appropriate alerts */
+ err = sslVerifyProtVersion(ctx, protocolVersion, &negVersion);
+ if(err) {
+ return err;
+ }
+ ctx->negProtocolVersion = negVersion;
+ switch(negVersion) {
+ case SSL_Version_3_0:
+ ctx->sslTslCalls = &Ssl3Callouts;
+ break;
+ case TLS_Version_1_0:
+ case TLS_Version_1_1:
+ case DTLS_Version_1_0:
+ ctx->sslTslCalls = &Tls1Callouts;
+ break;
+ case TLS_Version_1_2:
+ ctx->sslTslCalls = &Tls12Callouts;
+ break;
+ default:
+ return errSSLNegotiation;
+ }
+ sslLogNegotiateDebug("===SSL3 client: negVersion is %d_%d",
+ (negVersion >> 8) & 0xff, negVersion & 0xff);
+
+ memcpy(ctx->serverRandom, p, 32);
+ p += 32;
+
+ sessionIDLen = *p++;
+ if (message.length < (38 + sessionIDLen)) {
+ sslErrorLog("SSLProcessServerHello: msg len error 2\n");
+ return errSSLProtocol;
+ }
+ if (sessionIDLen > 0 && ctx->peerID.data != 0)
+ { /* Don't die on error; just treat it as an uncached session */
+ if (ctx->sessionID.data)
+ SSLFreeBuffer(&ctx->sessionID, ctx);
+ err = SSLAllocBuffer(&ctx->sessionID, sessionIDLen, ctx);
+ if (err == 0)
+ memcpy(ctx->sessionID.data, p, sessionIDLen);
+ }
+ p += sessionIDLen;
+
+ ctx->selectedCipher = (UInt16)SSLDecodeInt(p,2);
+ sslLogNegotiateDebug("===ssl3: server requests cipherKind %x",
+ (unsigned)ctx->selectedCipher);
+ p += 2;
+ if ((err = FindCipherSpec(ctx)) != 0) {
+ return err;
+ }
+
+ if (*p++ != 0) /* Compression */
+ return unimpErr;
+
+ /* Process ServerHello extensions */
+ extensionsLen = message.length - (38 + sessionIDLen);
+
+ if(extensionsLen) {
+ err = SSLProcessServerHelloExtensions(ctx, extensionsLen, p);
+ if(err)
+ return err;
+ }
+
+ /* RFC 5746: Make sure the renegotiation is secure */
+ if(ctx->secure_renegotiation && !ctx->secure_renegotiation_received)
+ return errSSLNegotiation;
+
+ if(ctx->secure_renegotiation_received)
+ ctx->secure_renegotiation = true;
+
+ /*
+ * Note: the server MAY send a SSL_HE_EC_PointFormats extension if
+ * we've negotiated an ECDSA ciphersuite...but
+ * a) the provided format list MUST contain SSL_PointFormatUncompressed per
+ * RFC 4492 5.2; and
+ * b) The uncompressed format is the only one we support.
+ *
+ * Thus we drop a possible incoming SSL_HE_EC_PointFormats extension here.
+ * IF we ever support other point formats, we have to parse the extension
+ * to see what the server supports.
+ */
+ return noErr;
+}
+
+OSStatus
+SSLEncodeClientHello(SSLRecord *clientHello, SSLContext *ctx)
+{
+ size_t length;
+ unsigned i;
+ OSStatus err;
+ unsigned char *p;
+ SSLBuffer sessionIdentifier = { 0, NULL };
+ size_t sessionIDLen;
+ size_t sessionTicketLen = 0;
+ size_t serverNameLen = 0;
+ size_t pointFormatLen = 0;
+ size_t suppCurveLen = 0;
+ size_t signatureAlgorithmsLen = 0;
+ size_t totalExtenLen = 0;
+ UInt16 numCipherSuites;
+ int head;
+
+ assert(ctx->protocolSide == kSSLClientSide);
+
+ clientHello->contents.length = 0;
+ clientHello->contents.data = NULL;
+
+ sessionIDLen = 0;
+ if (ctx->resumableSession.data != 0)
+ { if ((err = SSLRetrieveSessionID(ctx->resumableSession,
+ &sessionIdentifier, ctx)) != 0)
+ { return err;
+ }
+ sessionIDLen = sessionIdentifier.length;
+ }
+
+ /*
+ * Since we're not in SSLv2 compatibility mode, only count non-SSLv2 ciphers.
+ */
+#if ENABLE_SSLV2
+ numCipherSuites = ctx->numValidNonSSLv2Specs;
+#else
+ numCipherSuites = ctx->numValidCipherSuites;
+#endif
+
+ /* RFC 5746 : add the fake ciphersuite unless we are including the extension */
+ if(!ctx->secure_renegotiation)
+ numCipherSuites+=1;
+
+ length = 39 + 2*numCipherSuites + sessionIDLen;
+
+ err = sslGetMaxProtVersion(ctx, &clientHello->protocolVersion);
+ if(err) {
+ /* we don't have a protocol enabled */
+ goto err_exit;
+ }
+
+ /* RFC 5746: If are starting a new handshake, so we didnt received this yet */
+ ctx->secure_renegotiation_received = false;
+
+ /* If we already negotiated the protocol version previously,
+ we should just use that */
+ if(ctx->negProtocolVersion != SSL_Version_Undetermined) {
+ clientHello->protocolVersion = ctx->negProtocolVersion;
+ }
+
+#if ENABLE_DTLS
+ if(clientHello->protocolVersion == DTLS_Version_1_0) {
+ /* extra space for cookie */
+ /* TODO: cookie len - 0 for now */
+ length += 1 + ctx->dtlsCookie.length;
+ sslLogNegotiateDebug("==DTLS Hello: len=%lu\n", length);
+ }
+ /* Because of the way the version number for DTLS is encoded,
+ the following code mean that you can use extensions with DTLS... */
+#endif /* ENABLE_DTLS */
+
+ /* RFC 5746: We add the extension only for renegotiation ClientHello */
+ if(ctx->secure_renegotiation) {
+ totalExtenLen += 2 + /* extension type */
+ 2 + /* extension length */
+ 1 + /* lenght of renegotiated_conection (client verify data) */
+ ctx->ownVerifyData.length;
+ }
+
+ /* prepare for optional ClientHello extensions */
+ if((clientHello->protocolVersion >= TLS_Version_1_0) &&
+ (ctx->peerDomainName != NULL) &&
+ (ctx->peerDomainNameLen != 0)) {
+ serverNameLen = 2 + /* extension type */
+ 2 + /* 2-byte vector length, extension_data */
+ 2 + /* length of server_name_list */
+ 1 + /* length of name_type */
+ 2 + /* length of HostName */
+ ctx->peerDomainNameLen;
+ totalExtenLen += serverNameLen;
+ }
+ if(ctx->sessionTicket.length) {
+ sessionTicketLen = 2 + /* extension type */
+ 2 + /* 2-byte vector length, extension_data */
+ ctx->sessionTicket.length;
+ totalExtenLen += sessionTicketLen;
+ }
+ if((clientHello->protocolVersion >= TLS_Version_1_0) &&
+ (ctx->ecdsaEnable)) {
+ /* Two more extensions: point format, supported curves */
+ pointFormatLen = 2 + /* extension type */
+ 2 + /* 2-byte vector length, extension_data */
+ 1 + /* length of the ec_point_format_list */
+ 1; /* the single format we support */
+ suppCurveLen = 2 + /* extension type */
+ 2 + /* 2-byte vector length, extension_data */
+ 2 + /* length of the elliptic_curve_list */
+ (2 * ctx->ecdhNumCurves); /* each curve is 2 bytes */
+ totalExtenLen += (pointFormatLen + suppCurveLen);
+ }
+ if(ctx->isDTLS
+ ? clientHello->protocolVersion < DTLS_Version_1_0
+ : clientHello->protocolVersion >= TLS_Version_1_2) {
+ signatureAlgorithmsLen = 2 + /* extension type */
+ 2 + /* 2-byte vector length, extension_data */
+ 2 + /* length of signatureAlgorithms list */
+ 2 * (ctx->ecdsaEnable ? 5 : 3); //FIXME: 5:3 should not be hardcoded here.
+ totalExtenLen += signatureAlgorithmsLen;
+ }
+ if(totalExtenLen != 0) {
+ /*
+ * Total length extensions have to fit in a 16 bit field...
+ */
+ if(totalExtenLen > 0xffff) {
+ sslErrorLog("Total extensions length EXCEEDED\n");
+ totalExtenLen = 0;
+ sessionTicketLen = 0;
+ serverNameLen = 0;
+ pointFormatLen = 0;
+ suppCurveLen = 0;
+ signatureAlgorithmsLen = 0;
+ }
+ else {
+ /* add length of total length plus lengths of extensions */
+ length += (totalExtenLen + 2);
+ }
+ }
+
+ clientHello->contentType = SSL_RecordTypeHandshake;
+ head = SSLHandshakeHeaderSize(clientHello);
+ if ((err = SSLAllocBuffer(&clientHello->contents, length + head, ctx)) != 0)
+ goto err_exit;
+
+ p = SSLEncodeHandshakeHeader(ctx, clientHello, SSL_HdskClientHello, length);
+
+ p = SSLEncodeInt(p, clientHello->protocolVersion, 2);
+
+ sslLogNegotiateDebug("===SSL3 client: proclaiming max protocol "
+ "%d_%d capable ONLY",
+ clientHello->protocolVersion >> 8, clientHello->protocolVersion & 0xff);
+ if ((err = SSLEncodeRandom(p, ctx)) != 0)
+ { goto err_exit;
+ }
+ memcpy(ctx->clientRandom, p, SSL_CLIENT_SRVR_RAND_SIZE);
+ p += 32;
+ *p++ = sessionIDLen; /* 1 byte vector length */
+ if (sessionIDLen > 0)
+ { memcpy(p, sessionIdentifier.data, sessionIDLen);
+ }
+ p += sessionIDLen;
+#if ENABLE_DTLS
+ if (clientHello->protocolVersion == DTLS_Version_1_0) {
+ /* TODO: Add the cookie ! Currently: size=0 -> no cookie */
+ *p++ = ctx->dtlsCookie.length;
+ if(ctx->dtlsCookie.length) {
+ memcpy(p, ctx->dtlsCookie.data, ctx->dtlsCookie.length);
+ p+=ctx->dtlsCookie.length;
+ }
+ sslLogNegotiateDebug("==DTLS Hello: cookie len = %d\n",ctx->dtlsCookie.length);
+ }
+#endif
+
+
+ p = SSLEncodeInt(p, 2*numCipherSuites, 2);
+ /* 2 byte long vector length */
+
+ /* RFC 5746 : add the fake ciphersuite unless we are including the extension */
+ if(!ctx->secure_renegotiation)
+ p = SSLEncodeInt(p, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, 2);
+
+ for (i = 0; i<ctx->numValidCipherSuites; ++i) {
+#if ENABLE_SSLV2
+ if(CIPHER_SUITE_IS_SSLv2(ctx->validCipherSuites[i])) {
+ continue;
+ }
+#endif
+ sslLogNegotiateDebug("ssl3EncodeClientHello sending suite %x",
+ (unsigned)ctx->validCipherSuites[i]);
+ p = SSLEncodeInt(p, ctx->validCipherSuites[i], 2);
+ }
+ *p++ = 1; /* 1 byte long vector */
+ *p++ = 0; /* null compression */
+
+ /*
+ * Append ClientHello extensions.
+ */
+ if(totalExtenLen != 0) {
+ /* first, total length of all extensions */
+ p = SSLEncodeSize(p, totalExtenLen, 2);
+ }
+ if(ctx->secure_renegotiation){
+ assert(ctx->ownVerifyData.length<=255);
+ p = SSLEncodeInt(p, SSL_HE_SecureRenegotation, 2);
+ p = SSLEncodeSize(p, ctx->ownVerifyData.length+1, 2);
+ p = SSLEncodeSize(p, ctx->ownVerifyData.length, 1);
+ memcpy(p, ctx->ownVerifyData.data, ctx->ownVerifyData.length);
+ p += ctx->ownVerifyData.length;
+ }
+ if(sessionTicketLen) {
+ sslEapDebug("Adding %lu bytes of sessionTicket to ClientHello",
+ ctx->sessionTicket.length);
+ p = SSLEncodeInt(p, SSL_HE_SessionTicket, 2);
+ p = SSLEncodeSize(p, ctx->sessionTicket.length, 2);
+ memcpy(p, ctx->sessionTicket.data, ctx->sessionTicket.length);
+ p += ctx->sessionTicket.length;
+ }
+ if(serverNameLen) {
+ sslEapDebug("Specifying ServerNameIndication");
+ p = SSLEncodeInt(p, SSL_HE_ServerName, 2);
+ p = SSLEncodeSize(p, ctx->peerDomainNameLen + 5, 2);
+ p = SSLEncodeSize(p, ctx->peerDomainNameLen + 3, 2);
+ p = SSLEncodeInt(p, SSL_NT_HostName, 1);
+ p = SSLEncodeSize(p, ctx->peerDomainNameLen, 2);
+ memcpy(p, ctx->peerDomainName, ctx->peerDomainNameLen);
+ p += ctx->peerDomainNameLen;
+ }
+ if(suppCurveLen) {
+ UInt32 len = 2 * ctx->ecdhNumCurves;
+ unsigned dex;
+ p = SSLEncodeInt(p, SSL_HE_EllipticCurves, 2);
+ p = SSLEncodeSize(p, len+2, 2); /* length of extension data */
+ p = SSLEncodeSize(p, len, 2); /* length of elliptic_curve_list */
+ for(dex=0; dex<ctx->ecdhNumCurves; dex++) {
+ sslEcdsaDebug("+++ adding supported curves %u to ClientHello",
+ (unsigned)ctx->ecdhCurves[dex]);
+ p = SSLEncodeInt(p, ctx->ecdhCurves[dex], 2);
+ }
+ }
+ if(pointFormatLen) {
+ sslEcdsaDebug("+++ adding point format to ClientHello");
+ p = SSLEncodeInt(p, SSL_HE_EC_PointFormats, 2);
+ p = SSLEncodeSize(p, 2, 2); /* length of extension data */
+ p = SSLEncodeSize(p, 1, 1); /* length of ec_point_format_list */
+ p = SSLEncodeInt(p, SSL_PointFormatUncompressed, 1);
+ }
+ if (signatureAlgorithmsLen) {
+ sslEcdsaDebug("+++ adding signature algorithms to ClientHello");
+ /* TODO: Don't hardcode this */
+ /* We dont support SHA512 or SHA224 because we didnot implement the digest abstraction for those
+ and we dont keep a running hash for those.
+ We dont support SHA384/ECDSA because corecrypto ec does not support it with 256 bits curves */
+ UInt32 len = 2 * (ctx->ecdsaEnable ? 5 : 3); //FIXME: 5:3 should not be hardcoded here.
+ p = SSLEncodeInt(p, SSL_HE_SignatureAlgorithms, 2);
+ p = SSLEncodeSize(p, len+2, 2); /* length of extension data */
+ p = SSLEncodeSize(p, len, 2); /* length of extension data */
+ // p = SSLEncodeInt(p, SSL_HashAlgorithmSHA512, 1);
+ // p = SSLEncodeInt(p, SSL_SignatureAlgorithmRSA, 1);
+ p = SSLEncodeInt(p, SSL_HashAlgorithmSHA384, 1);
+ p = SSLEncodeInt(p, SSL_SignatureAlgorithmRSA, 1);
+ p = SSLEncodeInt(p, SSL_HashAlgorithmSHA256, 1);
+ p = SSLEncodeInt(p, SSL_SignatureAlgorithmRSA, 1);
+ // p = SSLEncodeInt(p, SSL_HashAlgorithmSHA224, 1);
+ // p = SSLEncodeInt(p, SSL_SignatureAlgorithmRSA, 1);
+ p = SSLEncodeInt(p, SSL_HashAlgorithmSHA1, 1);
+ p = SSLEncodeInt(p, SSL_SignatureAlgorithmRSA, 1);
+ if (ctx->ecdsaEnable) {
+ // p = SSLEncodeInt(p, SSL_HashAlgorithmSHA512, 1);
+ // p = SSLEncodeInt(p, SSL_SignatureAlgorithmECDSA, 1);
+ // p = SSLEncodeInt(p, SSL_HashAlgorithmSHA384, 1);
+ // p = SSLEncodeInt(p, SSL_SignatureAlgorithmECDSA, 1);
+ p = SSLEncodeInt(p, SSL_HashAlgorithmSHA256, 1);
+ p = SSLEncodeInt(p, SSL_SignatureAlgorithmECDSA, 1);
+ // p = SSLEncodeInt(p, SSL_HashAlgorithmSHA224, 1);
+ // p = SSLEncodeInt(p, SSL_SignatureAlgorithmECDSA, 1);
+ p = SSLEncodeInt(p, SSL_HashAlgorithmSHA1, 1);
+ p = SSLEncodeInt(p, SSL_SignatureAlgorithmECDSA, 1);
+ }
+ }
+
+ sslLogNegotiateDebug("Client Hello : data=%p p=%p len=%08x\n", clientHello->contents.data, p, clientHello->contents.length);
+
+ assert(p == clientHello->contents.data + clientHello->contents.length);
+
+ if ((err = SSLInitMessageHashes(ctx)) != 0)
+ goto err_exit;
+
+err_exit:
+ if (err != 0) {
+ SSLFreeBuffer(&clientHello->contents, ctx);
+ }
+ SSLFreeBuffer(&sessionIdentifier, ctx);
+
+ return err;
+}
+
+OSStatus
+SSLProcessClientHello(SSLBuffer message, SSLContext *ctx)
+{ OSStatus err;
+ SSLProtocolVersion negVersion;
+ UInt16 cipherListLen, cipherCount, desiredSuite, cipherSuite;
+ UInt8 sessionIDLen, compressionCount;
+ UInt8 *charPtr;
+ unsigned i;
+ UInt8 *eom; /* end of message */
+
+ if (message.length < 41) {
+ sslErrorLog("SSLProcessClientHello: msg len error 1\n");
+ return errSSLProtocol;
+ }
+ charPtr = message.data;
+ eom = charPtr + message.length;
+ ctx->clientReqProtocol = (SSLProtocolVersion)SSLDecodeInt(charPtr, 2);
+ charPtr += 2;
+ err = sslVerifyProtVersion(ctx, ctx->clientReqProtocol, &negVersion);
+ if(err) {
+ sslErrorLog("SSLProcessClientHello: protocol version error %04x - %04x\n", ctx->clientReqProtocol, negVersion);
+ return err;
+ }
+ switch(negVersion) {
+ case SSL_Version_3_0:
+ ctx->sslTslCalls = &Ssl3Callouts;
+ break;
+ case TLS_Version_1_0:
+ case TLS_Version_1_1:
+ case DTLS_Version_1_0:
+ ctx->sslTslCalls = &Tls1Callouts;
+ break;
+ case TLS_Version_1_2:
+ ctx->sslTslCalls = &Tls12Callouts;
+ break;
+ default:
+ return errSSLNegotiation;
+ }
+ ctx->negProtocolVersion = negVersion;
+ sslLogNegotiateDebug("===SSL3 server: negVersion is %d_%d",
+ negVersion >> 8, negVersion & 0xff);
+
+ memcpy(ctx->clientRandom, charPtr, SSL_CLIENT_SRVR_RAND_SIZE);
+ charPtr += 32;
+ sessionIDLen = *(charPtr++);
+ if (message.length < (unsigned)(41 + sessionIDLen)) {
+ sslErrorLog("SSLProcessClientHello: msg len error 2\n");
+ return errSSLProtocol;
+ }
+ /* FIXME peerID is never set on server side.... */
+ if (sessionIDLen > 0 && ctx->peerID.data != 0)
+ { /* Don't die on error; just treat it as an uncacheable session */
+ err = SSLAllocBuffer(&ctx->sessionID, sessionIDLen, ctx);
+ if (err == 0)
+ memcpy(ctx->sessionID.data, charPtr, sessionIDLen);
+ }
+ charPtr += sessionIDLen;
+
+#if ENABLE_DTLS
+ /* TODO: actually do something with this cookie */
+ if(negVersion==DTLS_Version_1_0) {
+ UInt8 cookieLen = *charPtr++;
+
+ sslLogNegotiateDebug("cookieLen=%d\n", cookieLen);
+
+ if((ctx->dtlsCookie.length==0) || ((cookieLen==ctx->dtlsCookie.length) && (memcmp(ctx->dtlsCookie.data, charPtr, cookieLen)==0)))
+ {
+ ctx->cookieVerified=true;
+ } else {
+ ctx->cookieVerified=false;
+ }
+
+ charPtr+=cookieLen;
+ }
+
+ /* TODO: if we are about to send a HelloVerifyRequest, we probably dont need to process the cipherspecs */
+#endif
+
+ cipherListLen = (UInt16)SSLDecodeInt(charPtr, 2);
+ /* Count of cipherSuites, must be even & >= 2 */
+ charPtr += 2;
+ if((charPtr + cipherListLen) > eom) {
+ sslErrorLog("SSLProcessClientHello: msg len error 5\n");
+ return errSSLProtocol;
+ }
+ if ((cipherListLen & 1) ||
+ (cipherListLen < 2) ||
+ (message.length < (unsigned)(39 + sessionIDLen + cipherListLen))) {
+ sslErrorLog("SSLProcessClientHello: msg len error 3\n");
+ return errSSLProtocol;
+ }
+ cipherCount = cipherListLen/2;
+ cipherSuite = 0xFFFF; /* No match marker */
+ while (cipherSuite == 0xFFFF && cipherCount--)
+ { desiredSuite = (UInt16)SSLDecodeInt(charPtr, 2);
+ charPtr += 2;
+ for (i = 0; i <ctx->numValidCipherSuites; i++)
+ { if (ctx->validCipherSuites[i] == desiredSuite)
+ { cipherSuite = desiredSuite;
+ break;
+ }
+ }
+ }
+
+ if (cipherSuite == 0xFFFF)
+ return errSSLNegotiation;
+ charPtr += 2 * cipherCount; /* Advance past unchecked cipherCounts */
+ ctx->selectedCipher = cipherSuite;
+ /* validate cipher later, after we get possible sessionTicket */
+
+ compressionCount = *(charPtr++);
+ if ((compressionCount < 1) ||
+ (message.length <
+ (unsigned)(38 + sessionIDLen + cipherListLen + compressionCount))) {
+ sslErrorLog("SSLProcessClientHello: msg len error 4\n");
+ return errSSLProtocol;
+ }
+ /* Ignore list; we're doing null */
+
+ /*
+ * Handle ClientHello extensions.
+ */
+ /* skip compression list */
+ charPtr += compressionCount;
+ if(charPtr < eom) {
+ ptrdiff_t remLen = eom - charPtr;
+ UInt32 totalExtensLen;
+ UInt32 extenType;
+ UInt32 extenLen;
+ if(remLen < 6) {
+ /*
+ * Not enough for extension type and length, but not an error...
+ * skip it and proceed.
+ */
+ sslEapDebug("SSLProcessClientHello: too small for any extension");
+ goto proceed;
+ }
+ totalExtensLen = SSLDecodeInt(charPtr, 2);
+ charPtr += 2;
+ if((charPtr + totalExtensLen) > eom) {
+ sslEapDebug("SSLProcessClientHello: too small for specified total_extension_length");
+ goto proceed;
+ }
+ while(charPtr < eom) {
+ extenType = SSLDecodeInt(charPtr, 2);
+ charPtr += 2;
+ extenLen = SSLDecodeInt(charPtr, 2);
+ charPtr += 2;
+ if((charPtr + extenLen) > eom) {
+ sslEapDebug("SSLProcessClientHello: too small for specified extension_length");
+ break;
+ }
+ switch(extenType) {
+#if SSL_PAC_SERVER_ENABLE
+
+ case SSL_HE_SessionTicket:
+ SSLFreeBuffer(&ctx->sessionTicket, NULL);
+ SSLCopyBufferFromData(charPtr, extenLen, &ctx->sessionTicket);
+ sslEapDebug("Saved %lu bytes of sessionTicket from ClientHello",
+ (unsigned long)extenLen);
+ break;
+#endif
+ case SSL_HE_ServerName:
+ {
+ /*
+ * This is for debug only (it's disabled for Deployment builds).
+ * Someday, I imagine we'll have a getter in the API to get this info.
+ */
+ UInt8 *cp = charPtr;
+ UInt32 v = SSLDecodeInt(cp, 2);
+ cp += 2;
+ sslEapDebug("SSL_HE_ServerName: length of server_name_list %lu",
+ (unsigned long)v);
+ v = SSLDecodeInt(cp, 1);
+ cp++;
+ sslEapDebug("SSL_HE_ServerName: name_type %lu", (unsigned long)v);
+ v = SSLDecodeInt(cp, 2);
+ cp += 2;
+ sslEapDebug("SSL_HE_ServerName: length of HostName %lu",
+ (unsigned long)v);
+ char hostString[v + 1];
+ memmove(hostString, cp, v);
+ hostString[v] = '\0';
+ sslEapDebug("SSL_HE_ServerName: ServerName '%s'", hostString);
+ break;
+ }
+ case SSL_HE_SignatureAlgorithms:
+ {
+ UInt8 *cp = charPtr, *end = charPtr + extenLen;
+ UInt32 sigAlgsSize = SSLDecodeInt(cp, 2);
+ cp += 2;
+
+ if (extenLen != sigAlgsSize + 2 || extenLen & 1 || sigAlgsSize & 1) {
+ sslEapDebug("SSL_HE_SignatureAlgorithms: odd length of signature algorithms list %lu %lu",
+ (unsigned long)extenLen, (unsigned long)sigAlgsSize);
+ break;
+ }
+
+ ctx->numClientSigAlgs = sigAlgsSize / 2;
+ if(ctx->clientSigAlgs != NULL) {
+ sslFree(ctx->clientSigAlgs);
+ }
+ ctx->clientSigAlgs = (SSLSignatureAndHashAlgorithm *)
+ sslMalloc((ctx->numClientSigAlgs) * sizeof(SSLSignatureAndHashAlgorithm));
+ for(i=0; i<ctx->numClientSigAlgs; i++) {
+ /* TODO: Validate hash and signature fields. */
+ ctx->clientSigAlgs[i].hash = *cp++;
+ ctx->clientSigAlgs[i].signature = *cp++;
+ sslLogNegotiateDebug("===Client specifies sigAlg %d %d",
+ ctx->clientSigAlgs[i].hash,
+ ctx->clientSigAlgs[i].signature);
+ }
+ assert(cp==end);
+ break;
+ }
+ default:
+ sslEapDebug("SSLProcessClientHello: unknown extenType (%lu)",
+ (unsigned long)extenType);
+ break;
+ }
+ charPtr += extenLen;
+ }
+ }
+proceed:
+ if ((err = FindCipherSpec(ctx)) != 0) {
+ return err;
+ }
+ sslLogNegotiateDebug("ssl3 server: selecting cipherKind 0x%x", (unsigned)ctx->selectedCipher);
+ if ((err = SSLInitMessageHashes(ctx)) != 0)
+ return err;
+
+ return noErr;
+}
+
+OSStatus
+SSLEncodeRandom(unsigned char *p, SSLContext *ctx)
+{ SSLBuffer randomData;
+ OSStatus err;
+ uint32_t now;
+
+ if ((err = sslTime(&now)) != 0)
+ return err;
+ SSLEncodeInt(p, now, 4);
+ randomData.data = p+4;
+ randomData.length = 28;
+ if((err = sslRand(ctx, &randomData)) != 0)
+ return err;
+ return noErr;
+}
+
+OSStatus
+SSLInitMessageHashes(SSLContext *ctx)
+{ OSStatus err;
+
+ if ((err = CloseHash(&SSLHashSHA1, &ctx->shaState, ctx)) != 0)
+ return err;
+ if ((err = CloseHash(&SSLHashMD5, &ctx->md5State, ctx)) != 0)
+ return err;
+ if ((err = CloseHash(&SSLHashSHA256, &ctx->sha256State, ctx)) != 0)
+ return err;
+ if ((err = CloseHash(&SSLHashSHA384, &ctx->sha512State, ctx)) != 0)
+ return err;
+ if ((err = ReadyHash(&SSLHashSHA1, &ctx->shaState, ctx)) != 0)
+ return err;
+ if ((err = ReadyHash(&SSLHashMD5, &ctx->md5State, ctx)) != 0)
+ return err;
+ if ((err = ReadyHash(&SSLHashSHA256, &ctx->sha256State, ctx)) != 0)
+ return err;
+ if ((err = ReadyHash(&SSLHashSHA384, &ctx->sha512State, ctx)) != 0)
+ return err;
+ return noErr;
+}
projects / apple / security.git / blobdiff